Saturday, January 24, 2015

Is Android's BroadAnywhere really a threat that an antivirus can protect from? Do Android phones need antiviruses?

BroadAnywhere

Firstly, BroadAnywhere is not a virus or malware. It's just an ordinary software bug in Android.

I became aware of this after I installed an antivirus on an Android phone and the antivirus said it detected the BroadAnywhere vulnerability and was now able to protect the phone from it. Made me curious, and I dug up the actual flaw and its solution:

BroadAnywhere is classified as Bug: 17356824 in Android's Operating System code and won't be found in any Android OS that's released after September 10 2014; and that would be Android version 5.0 onward.

App's in Android communicate with each other using the Intent object. When your app gives a PendingIntent (a reference token) to another app, you're giving it the right to perform the operation you specify (the Intent), using the same identity and permissions as your app. If your app does not cancel the PendingIntent, the other app will be able to continue using it even if your app is closed/killed.

Bug 17356824 was a problem, because the Add Account Settings section in Android needed to identify the app that was invoking it and the PendingIntent it created for it, unwittingly allowed the invoker app to not only send it's identity information but also allowed it to launch activities, services or broadcasts. So anyone can create an app that misuses this PendingIntent, and either make your phone crash or wipe all data in your phone or send spam to your phone or send fake SMS'es.

Now the interesting part is that antiviruses for mobile phones claim to be able to protect us from this problem. I asked on StackExchange's Android forum, got an upvote, but no reply.

Antiviruses

Windows users would be all-too-familiar with viruses and antiviruses that "catch" and "destroy" them.

Antiviruses use two techniques:
1. Virus signatures: These are just a sequence of bytes that the antivirus searches for, which will be unique for a certain virus. The same way you do a string search. Programmers started creating viruses that were capable of encrypting and decrypting themselves (and thus hiding their signature) and capable of creating variants of their signature each time they encrypted or decrypted themselves. Next came polymorphic viruses which changed the signature of the encryptor and decryptor itself, each time it replicated.
2. Heuristics: The file being scanned is allowed to run in a special virtual environment (something like a sandbox) and it searches for virus-like behaviour (replication, overwriting files or hiding suspicious files).

... and even after I killed a virus, antiviruses in Windows would identify the file as a virus. That's because of Virus Signatures.

So can an Android Antivirus protect you from BroadAnywhere?

The websites of these antiviruses claim to protect you, but haven't offered any explanation of how they do it. They definitely can't peep inside an app and check the lines of code to see what kind of an Intent is being sent, but if the antivirus company maintains a very-frequently updated list of malicious apps, it might be able to warn you that an app you're about to install is harmful.

Question is, do they really do it? It'd require a dedicated team who would actively search for malicious apps and test them. Would a company do so much for free? Or would they make their money by tracking your phone and the data in it (given the high level of permissions that antivirus app's request)? It's a matter of trust.

Do you need an Antivirus at all?

Like in Linux, where your system can get infected only if you deliberately give root access to a malicious program, the one way your phone can be susceptible to viruses or malware is if you decide to give an app elevated permissions on your phone.

So to stay safe, only install apps from trusted sources like Google Play and be a bit suspicious and do a followup of apps that ask for permissions that seem un-necessary. If you're careful, you won't need an antivirus. It's not just about data and security. Many apps gather data about you and your location. Your privacy is also important.

________________________________

Update

In answer to the queries in the comments, the answer is "no". The average Android user (99% of users) does not need an antivirus.

Google's lead engineer for Android security himself speaks of why an antivirus is un-necessary and what the more pressing concerns are.Answer to a comment below:@Scott: I havent tried this yet, but from what I hear, even if your phone is rooted, an app can cause damage only if you give it permission to. So I would assume malware which exploits broadanywhere through another app would be able to do so only if you allow the app to execute those commands.SuperSU available on Google Play is said to give you the ability to control which apps you want to run as root, which commands those apps run and even to be able to give you the ability to identify and stop malicious apps.The Android forums can give you more info on this. Do post back on NRecursions if you have feedback to share! :-)The best security you can have is in being aware of what you are installing and not connecting to unknown Wi-fi's. When in doubt, ask on the forums.

Some people have emailed me asking if they could thank me
for having given them knowledge. The best way
to thank me is by contributing to Open Source. Being a sweetheart if you'd like to give a more personal thank you, then I don't really like the idea of monetary donations, but maybe a wishlist wouldn't be that bad.

Thank you @Navin. This information does clear up most of my uncertainty. It seems implied, as well, that when I chose to root my phone, I also chose to dance a bit closer to the vulnerability pit. So then, a rooted phone is more threatened by this OS bug, right? I definitely do not want to traipse into that pit. The inference I draw from your information is that it's important to RTFM a lot, especially when I'm considering a new executable and/or one with many permissions. Thanks again for your clarifications and any further insight you choose to share. ~Scott

Thank you everyone. I've consolidated my replies as an update to the blog post and since I wanted to add a more reliable reference, I added a link to an interview with Adrian Ludwig; Google's lead for Android security.

@Andika: Broadanywhere is not something you can fix. You need to get Android version 5 or higher in which the bug has been fixed.@Everyone: I would like to politely refrain from answering more questions on the topic. The right subject matter experts who can answer your questions best are the Android developers and antivirus developers. There are various internet forums where they are available for discussion. Mine is just a humble blog post and am glad it has offered y'all more clarity, but I always insist on getting information from the correct and credible sources. Cheers! :-)

Special Posts

Etcetera

You can call me a versatile creator. I'm known for quickly adopting new technologies and creating good quality working products with them. Apart from spending most of my life getting people to pronounce my name correctly, I also have a taste for fun, adventure and unprejudiced thought.